gnutls: Backport fix for CVE-2024-0553

CVE-2024-0553 A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981. Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e] (From OE-Core rev: a07cc0b6fa4a485f318fd2957e434b63f5907d7e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-01-23 11:10:38 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-01-31 03:51:10 -1000
commit: 574b30350364287ca9c29f44174d8448f140b278 (patch)
tree: d29cb555751f1a315cadbcf69c08ed78552e1e96
parent: bffa4f3051a7cae61ccb63b6d711e94f633ae32f (diff)
download: poky-574b30350364287ca9c29f44174d8448f140b278.tar.gz
2 files changed, 126 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 0000000000..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+        int ret, dsize;
+        ssize_t data_size = _data_size;
+        gnutls_psk_server_credentials_t cred;
+-       gnutls_datum_t premaster_secret = { NULL, 0 };
+        volatile uint8_t ver_maj, ver_min;
+ 
+        cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+        ver_maj = _gnutls_get_adv_version_major(session);
+        ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-       premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-       if (premaster_secret.data == NULL) {
+       /* Find the key of this username. A random value will be
+        * filled in if the key is not found.
+        */
+       ret = _gnutls_psk_pwd_find_entry(session, info->username,
+                                        strlen(info->username), &pwd_psk);
+       if (ret < 0)
+               return gnutls_assert_val(ret);
+
+       /* Allocate memory for premaster secret, and fill in the
+        * fields except the decryption result.
+        */
+       session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
+       session->key.key.data = gnutls_malloc(session->key.key.size);
+       if (session->key.key.data == NULL) {
+                gnutls_assert();
+               _gnutls_free_key_datum(&pwd_psk);
+               /* No need to zeroize, as the secret is not copied in yet */
+               _gnutls_free_datum(&session->key.key);
+                return GNUTLS_E_MEMORY_ERROR;
+        }
+-       premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+        /* Fallback value when decryption fails. Needs to be unpredictable. */
+-       ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-                        premaster_secret.size);
+       ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
+                        GNUTLS_MASTER_SIZE);
+        if (ret < 0) {
+                gnutls_assert();
+-               goto cleanup;
+               _gnutls_free_key_datum(&pwd_psk);
+               /* No need to zeroize, as the secret is not copied in yet */
+               _gnutls_free_datum(&session->key.key);
+               return ret;
+        }
+ 
+       _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
+       _gnutls_write_uint16(pwd_psk.size,
+                            &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
+       memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
+              pwd_psk.size);
+       _gnutls_free_key_datum(&pwd_psk);
+
+        gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-                                    &ciphertext, premaster_secret.data,
+-                                    premaster_secret.size);
+                                    &ciphertext, session->key.key.data + 2,
+                                    GNUTLS_MASTER_SIZE);
+        /* After this point, any conditional on failure that cause differences
+         * in execution may create a timing or cache access pattern side
+         * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+        /* This is here to avoid the version check attack
+         * discussed above.
+         */
+-       premaster_secret.data[0] = ver_maj;
+-       premaster_secret.data[1] = ver_min;
+       session->key.key.data[2] = ver_maj;
+       session->key.key.data[3] = ver_min;
+ 
+-       /* find the key of this username
+-        */
+-       ret =
+-           _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+-       if (ret < 0) {
+-               gnutls_assert();
+-               goto cleanup;
+-       }
+-
+-       ret =
+-           set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+-       if (ret < 0) {
+-               gnutls_assert();
+-               goto cleanup;
+-       }
+-
+-       ret = 0;
+-      cleanup:
+-       _gnutls_free_key_datum(&pwd_psk);
+-       _gnutls_free_temp_key_datum(&premaster_secret);
+-
+-       return ret;
+       return 0;
+ }
+ 
+ static int
+-- 
+2.25.1
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 406f0b54c5..a1451daf2c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://CVE-2021-4209.patch \
           file://CVE-2023-0361.patch \
           file://CVE-2023-5981.patch \
+           file://CVE-2024-0553.patch \
 "
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-01-23 11:10:38 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-01-31 03:51:10 -1000
commit	574b30350364287ca9c29f44174d8448f140b278 (patch)
tree	d29cb555751f1a315cadbcf69c08ed78552e1e96
parent	bffa4f3051a7cae61ccb63b6d711e94f633ae32f (diff)
download	poky-574b30350364287ca9c29f44174d8448f140b278.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch new file mode 100644 index 0000000000..f15c470879 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
		1	From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
		2	From: Daiki Ueno <ueno@gnu.org>
		3	Date: Wed, 10 Jan 2024 19:13:17 +0900
		4	Subject: [PATCH] rsa-psk: minimize branching after decryption
		5
		6	This moves any non-trivial code between gnutls_privkey_decrypt_data2
		7	and the function return in _gnutls_proc_rsa_psk_client_kx up until the
		8	decryption. This also avoids an extra memcpy to session->key.key.
		9
		10	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		11
		12	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
		13	CVE: CVE-2024-0553
		14	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		15	---
		16	lib/auth/rsa_psk.c \| 68 ++++++++++++++++++++++++----------------------
		17	1 file changed, 35 insertions(+), 33 deletions(-)
		18
		19	diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
		20	index 93c2dc9..c6cfb92 100644
		21	--- a/lib/auth/rsa_psk.c
		22	+++ b/lib/auth/rsa_psk.c
		23	@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
		24	int ret, dsize;
		25	ssize_t data_size = _data_size;
		26	gnutls_psk_server_credentials_t cred;
		27	- gnutls_datum_t premaster_secret = { NULL, 0 };
		28	volatile uint8_t ver_maj, ver_min;
		29
		30	cred = (gnutls_psk_server_credentials_t)
		31	@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
		32	ver_maj = _gnutls_get_adv_version_major(session);
		33	ver_min = _gnutls_get_adv_version_minor(session);
		34
		35	- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
		36	- if (premaster_secret.data == NULL) {
		37	+ /* Find the key of this username. A random value will be
		38	+ * filled in if the key is not found.
		39	+ */
		40	+ ret = _gnutls_psk_pwd_find_entry(session, info->username,
		41	+ strlen(info->username), &pwd_psk);
		42	+ if (ret < 0)
		43	+ return gnutls_assert_val(ret);
		44	+
		45	+ /* Allocate memory for premaster secret, and fill in the
		46	+ * fields except the decryption result.
		47	+ */
		48	+ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
		49	+ session->key.key.data = gnutls_malloc(session->key.key.size);
		50	+ if (session->key.key.data == NULL) {
		51	gnutls_assert();
		52	+ _gnutls_free_key_datum(&pwd_psk);
		53	+ /* No need to zeroize, as the secret is not copied in yet */
		54	+ _gnutls_free_datum(&session->key.key);
		55	return GNUTLS_E_MEMORY_ERROR;
		56	}
		57	- premaster_secret.size = GNUTLS_MASTER_SIZE;
		58
		59	/* Fallback value when decryption fails. Needs to be unpredictable. */
		60	- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
		61	- premaster_secret.size);
		62	+ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
		63	+ GNUTLS_MASTER_SIZE);
		64	if (ret < 0) {
		65	gnutls_assert();
		66	- goto cleanup;
		67	+ _gnutls_free_key_datum(&pwd_psk);
		68	+ /* No need to zeroize, as the secret is not copied in yet */
		69	+ _gnutls_free_datum(&session->key.key);
		70	+ return ret;
		71	}
		72
		73	+ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
		74	+ _gnutls_write_uint16(pwd_psk.size,
		75	+ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
		76	+ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
		77	+ pwd_psk.size);
		78	+ _gnutls_free_key_datum(&pwd_psk);
		79	+
		80	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
		81	- &ciphertext, premaster_secret.data,
		82	- premaster_secret.size);
		83	+ &ciphertext, session->key.key.data + 2,
		84	+ GNUTLS_MASTER_SIZE);
		85	/* After this point, any conditional on failure that cause differences
		86	* in execution may create a timing or cache access pattern side
		87	* channel that can be used as an oracle, so tread carefully */
		88	@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
		89	/* This is here to avoid the version check attack
		90	* discussed above.
		91	*/
		92	- premaster_secret.data[0] = ver_maj;
		93	- premaster_secret.data[1] = ver_min;
		94	+ session->key.key.data[2] = ver_maj;
		95	+ session->key.key.data[3] = ver_min;
		96
		97	- /* find the key of this username
		98	- */
		99	- ret =
		100	- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
		101	- if (ret < 0) {
		102	- gnutls_assert();
		103	- goto cleanup;
		104	- }
		105	-
		106	- ret =
		107	- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
		108	- if (ret < 0) {
		109	- gnutls_assert();
		110	- goto cleanup;
		111	- }
		112	-
		113	- ret = 0;
		114	- cleanup:
		115	- _gnutls_free_key_datum(&pwd_psk);
		116	- _gnutls_free_temp_key_datum(&premaster_secret);
		117	-
		118	- return ret;
		119	+ return 0;
		120	}
		121
		122	static int
		123	--
		124	2.25.1
		125


diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb index 406f0b54c5..a1451daf2c 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
29	file://CVE-2021-4209.patch \	29	file://CVE-2021-4209.patch \
30	file://CVE-2023-0361.patch \	30	file://CVE-2023-0361.patch \
31	file://CVE-2023-5981.patch \	31	file://CVE-2023-5981.patch \
		32	file://CVE-2024-0553.patch \
32	"	33	"
33		34
34	SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"	35	SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"